Online Armor & Process Guard: need both?

Discussion in 'other anti-malware software' started by Leitchy, Sep 13, 2005.

Thread Status:
Not open for further replies.
  1. Leitchy

    Leitchy Registered Member

    Joined:
    Jun 28, 2005
    Posts:
    21
    Location:
    Canberra, AU
    I currently run Process Guard and Online Armor on all my systems, but I'm beginning to wonder if I need both. I seem to be finding that the majority of things I do I'm being alerted by BOTH systems.

    There are many people with far more expertise in these matters than I; am I getting any additional benefit from running both Process Guard and Online Armor, and if one of them should go, which one should it be? Please note I also run other protection software; it's just these two I'm concerned with at the moment.

    Please understand that I'm really happy with both, I own multiple copies of both, and I can live with having both on all my systems. However, I don't like to have apps running on my systems if they don't need to, and if I decide to uninstall one of them, I need to have confidence that I'm not reducing my protection in some significant way that I'm unaware of. So I'd appreciate any thoughts on the question (or point me to a relevant thread).
     
  2. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    The only place that they really overlap, atm, is execution control. I just disabled PG's execution control, letting OA handle it. Other than that, they cover different areas, at least as they are now.
     
  3. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    DOH... why didn't I think of that... disable PG's exe protection!!! Off to do that right now!

    And Notok is right, exe protection is about the only overlap between the two programs.
     
    Last edited: Sep 14, 2005
  4. Pollmaster

    Pollmaster Guest

    I was wondering why you didn't do that too, but forgot to mention it.

    Online Armor is adding kernel protection soon. Online Armor has generic keylogger checking, doesn't it? Is it more sophisticated compared to PG's blocking of global hooks?
     
  5. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    If you disable PG execution protection, doesn't it also disable the other protection?
     
  6. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Nope, in PG you can disable each protection item individually.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,049
    Why not let both do the execution protection. I do and haven't had any issues. Reason I do is I like the 2nd chance concept. Every now and then I okay something, and then think did I want to do that. Having both running gives a 2nd chance to change my mind and block it.

    Pete
     
  8. Pollmaster

    Pollmaster Guest

    Wow are you joking? Should have guessed you weren't, since you run everything from PG to OA to Prevx.

    Actually, it's not your second chance, it's your third chance.

    1st chance, you double click on the exe in explorer.
    2nd chance OA comes up
    3rd chance PG comes up


    Maybe you could ask the people at PG or Online armor, to add a 4th or 5th chance.

    1st prompt : Are you sure? Yes/No <Click Yes>
    2nd prompt : Are you very sure? Yes/No <click Yes>
    3rd prompt: Are you very very sure? Yes/No/ Darn it Yes means yes even if you asked a thousand times!!!

    :)
     
    Last edited by a moderator: Sep 15, 2005
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,049
    No. Why would you ask that.
     
  10. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    Obviously this is "user preference". It's nice to know that a person can go either way. ;)
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,049
    Hi Pollmaster

    Gee, if I didn't know better I'd think you were making fun of me. :D That's okay. BUT..... recognizing that one of the biggest problems in dealing with the security issue is the human factor, i.e. the user, I like having the 2nd chance. Clicking in Explorer isn't the first chance, because by the time I can do that, I won't get any challenges. It is the unexpected program that is fired up by something else that is the issue. The Prevx folks found that almost 50% of the time a user allowed malware to run. For me to assume I would never do that by accident would be a bit arrogant on my part. Also, the concept of redundancy is a fairly standard one. Don't know if you travel much, but I wonder if you'd be comfortable flying on a plane that had only one pilot and absolutely no redundancy in its systems.

    Anyway, since these programs coexist harmoniously, why not have them duplicate effort?

    Pete
     
  12. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    Only if I was the pilot :)
     
  13. Pollmaster

    Pollmaster Guest

    Why? There is always the first time you run something after installing it. Those cases will far outnumber the rare case where some dangerous malware manages to run via a buffer overflow exploit in your browser etc.

    I suspect the people who let malware through do so out of ignorance or impatience, rather than an accidental misclick. You know the type: click on anything to get rid of it. For such people a double prompt won't achieve anything anyway. In fact, flashing more leads to popup fatigue and contributes to people just clicking through.

    Personally, I can't think of any time where I could benefit from double prompting. I suspect if I made a wrong decision, I wouldn't know it, not immediately anyway, so another prompt appearing 1 second later won't make any difference.


    Thank you for explaining the concept of redundancy, let me introduce you to another concept, it's called overkill. Or better yet the tradeoff concept between absolute security and ease of use.

    Honestly, if you follow your line of reasoning where you fear an accidental misclick and hence use this to justify double prompts, you would have to install and run at the same time 2 firewalls, 2 registry monitors etc. etc.

    Or as I said before, at the very least, make your software verify your decision twice (or better yet, require 2 or more clicks to allow) before going ahead.

    It's not such a bad idea in theory to force users to jump through hoops for important decisions (accepting unsigned ActiveX, Java applets for browsers for example), but you have to pick your battles and reserve that for truly critical and rare events.

    I just don't think it's realistic for most people to do it for something as troublesome as execution monitoring. To actually have 2 programs, so that it is done twice, my mind reels....

    Of course, Peter disagrees, but not everyone (not even in the rarefied air of Wilders) has the patience to run Online Armor/Prevx/PG at the same time.



    Lots of reasons: computer resources, double the time spent handling prompts to the same event... etc... I'm also not certain if you can ever be sure that they work harmoniously; a fundamental security rule is to keep things simple and reduce complexity.

    I know the first isn't a big deal for you, and the second probably isn't either because you enjoy playing and "beta-testing" these tools, but as much as I share this mindset, even I draw the line at execution protection x2.

    I just don't enjoy having to click 3 times to launch something new I just installed. It gets old fast.

    And if this new software happens to require firewall connections, add at least 1 more click. If it happens to require global hooks or driver install (fairly common), 1 more click.

    And this excludes all the other clicks, for installing the new software in the first place, clicks for the installers, registry entries, file/kernel changes (if driver installs) etc.

    All those clicks add up to quite a bit for every new program you install.
    Now imagine if everything mentioned was double monitored. :)

    I might turn them both on for testing and comparison purposes (e.g. comparing execution monitoring in PG, OA, SSM), but for normal use, I figure out which is more robust, and turn off the other one.

    Of course, there is a small chance of a misclick (if it's due to lack of knowledge, double monitoring isn't going to save me), but I'll take my chances in the trade-off.

    Or if I had a parachute, which I actually have due to this thing called "layered security".....
     
  14. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    As siliconman01 pointed out, it's nice to have the choice. I ran both for a little while during testing and found that it did have its advantages, although I personally opted for just OA for the time being. I don't see anyone here going on at length to extol the virtues of double execution protection, so I'm not quite sure where you're going here, Pollmaster.
     
  15. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    Out of curiosity, why did people suggest disabling PG's execution protection and not OA's?
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,049
    To go to the lighter side, my only comment on Pollmaster's last post is I can do a lot of double clicking for the effort of writing a long post. Kidding of course.

    Pete
     
  17. Alantir

    Alantir Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    12
    At least in my case, I like that Online Armor alerts me about .bat, .cpl, .msc and other types of files trying to execute as well. OA can also track the changes made by programs if you choose to do so, allowing you to revert the changes if needed.

    Cheers
     
  18. Pollmaster

    Pollmaster Guest

    Peter's lecture on redundancy sounds to me exactly like an attempt to extol the virtues of double execution.
     
  19. Pollmaster

    Pollmaster Guest

    Another reason not to use double monitoring. It would be a pity if all that double clicking deprived all of us of a knowledgeable response from you. ;)
     
  20. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    This is a lecture?!? Everything else was a direct response to you.. I think you're officially trolling now, Pollmaster.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,049
    Thanks Notok.

    Pollmaster, I was just responding to your questioning why on earth I would do what I am doing. Bottom line... different strokes for different folks. But we are all after the same thing.

    Cheers,

    Pete
     
  22. Pollmaster

    Pollmaster Guest

    Notok, if expressing surprise and disagreeing with a post is called trolling, I'm sure your post is trolling as well.

    And yes, Peter was responding to me, but it still is a lecture on the virtues of double protection, which prompted my overly long response. But what's your point?
     
  23. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Once you have permissions sorted for your regularly-used programs, having to deal with multiple popups for a new (or changed) program should be an infrequent occurrence so the idea is not as impractical as it may seem at first glance.

    I have this with Process Guard and System Safety Monitor - SSM's popups are more informative (and easier to read since PG uses tiny fonts for the details) but SSM is less robust on my setup so PG is there should it fail for any reason.
     
  24. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I agree w/ Alantir, it covers more and has the option to roll back (effectively giving you a means of 'single click disinfection' should I accidentally allow something), but the kicker for me was that it handles things like rundll32.exe properly without having to click 'allow' every time I go into the Control Panel or insert a CD. OA also alerts earlier than PG does. That may or may not be a big deal, but it was just one more thing to tip the balance towards OA for me. I did notice that when I ran a trojan downloader that I have tucked away (small.aio, I believe), it was able to spawn IE before PG alerted; not so w/ OA.
     
    Last edited: Sep 16, 2005
  25. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Yes, it would be nice to see a kernel-based, stable and robust solution that built on the strengths of both PG and SSM and addressed some of the weaknesses as well.

    I believe that OA uses madCodeHook, so it is doing user-mode hooking; this is the alert for the kernel-mode driver that comes with madCodeHook, so it may well be doing some kernel hooking as well (the madKernel component).
    People love having arguments about kernel-mode and user-mode hooking, and there are appropriate times for both.

    You have to consider that all system call execution paths eventually lead into kernel code, and for that reason the kernel-based solutions will always have the last say on what to allow.
     
    Last edited: Sep 16, 2005